Login PAM interaction suspect
Thorsten Kukuk
kukuk at suse.de
Fri Nov 18 11:37:52 UTC 2011
On Fri, Nov 18, Tomas Mraz wrote:
> On Thu, 2011-11-17 at 16:59 +0100, Thorsten Kukuk wrote:
> > On Thu, Nov 17, David Mitton wrote:
> >
> >
> > > Which was the first thing I saw login do wrong. It calls pam_open_session
> > > before pam_setcred. I'm waiting for someone to explain that.
> >
> > As I think somebody already wrote here: it's a bug in login, for which
> > I already sent a patch upstream.
>
> Note that the original PAM RFC has an example where the pam_setcred() is
> called AFTER the pam_open_session(). This conflict with the manual page
> was never resolved one way or another.
The requirement to call pam_setcred() before pam_open_session() was only
found out later, when people recognized that you need to set the
credentials before calling pam_open_session(), so that some things which
need the credentials can work in pam_open_session(). I remember
at least pam_mount and Kerberos, for example.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
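
The ordering discussed in this thread can be checked from a library-call trace of a login-like program. The following is an added example, not part of the original message and not code from login or Linux-PAM; the function name `check_pam_order`, the trace format and the sample traces are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum order_result { ORDER_OK, SESSION_BEFORE_CRED, NO_SESSION };

/* Scan a newline-separated call trace and report whether the first
 * pam_open_session() is preceded by a pam_setcred() call. Matching is
 * by function name only; arguments and return values are ignored. */
enum order_result check_pam_order(const char *trace)
{
    int cred_seen = 0;
    const char *line = trace;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t full = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        size_t len = full < sizeof buf ? full : sizeof buf - 1;

        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strstr(buf, "pam_setcred("))
            cred_seen = 1;
        else if (strstr(buf, "pam_open_session("))
            return cred_seen ? ORDER_OK : SESSION_BEFORE_CRED;
        line += full;          /* advance by the untruncated length */
        if (*line == '\n')
            line++;
    }
    return NO_SESSION;
}

/* Constructed sample traces, not captured from a real login run. */
static const char TRACE_OLD[] =
    "pam_authenticate(...) = 0\n"
    "pam_acct_mgmt(...) = 0\n"
    "pam_open_session(...) = 0\n"
    "pam_setcred(...) = 0\n";
static const char TRACE_FIXED[] =
    "pam_authenticate(...) = 0\n"
    "pam_acct_mgmt(...) = 0\n"
    "pam_setcred(...) = 0\n"
    "pam_open_session(...) = 0\n";

int main(void)
{
    printf("old order:   %d\n", check_pam_order(TRACE_OLD));
    printf("fixed order: %d\n", check_pam_order(TRACE_FIXED));
    return 0;
}
```

A `SESSION_BEFORE_CRED` result means session modules ran before credentials were established, which is the condition under which modules such as pam_mount or Kerberos-based ones cannot do their work in pam_open_session().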